COCONE PRIVACY NOTICE(GDPR)

Created: August 31, 2018

Last revision: December 9, 2022

  1. 1. Summary

    1. (1) About the COCONE Privacy Notice

      cocone corporation (referred to below as “Company,” “we,” or “us,” or “Our Company”) respects the privacy of all individuals associated with the Company (referred to below as “Data Subjects”, defined in “2. Terms”) and appropriately protects the personal data of Data Subjects in accordance with the GDPR.
      The COCONE Privacy Notice (referred to below as “Notice”) describes the types of personal data we collect, how we handle personal data, the third parties with whom we share personal data, and the rights Data Subjects can exercise with respect to our handling of personal data.

    2. (2) Applicable to

      This Notice applies in relation to Data Subjects located within the European Union.
      For those not currently residing in the EU, please refer to the COCONE Privacy Policy or COCONE Privacy Notice (CCPA privacy policy) .

    3. (3) Miscellaneous

      Business practices involving the handling of personal data may differ in each country in which we operate, in order to reflect local practices and legal requirements of each country.

  2. 2. Terms

    The definitions of terms used in this Notice are as follows.

    GDPR

    Refers to the General Data Protection Regulations 2016/679 (EU General Data Protection Regulation).
    Applicable privacy laws

    Collectively refers to the GDPR, the United Kingdom’s Data Protection Act, and Japan’s Act on the Protection of Personal Information.
    EU

    Refers to EU member states, as well as Norway, Iceland and Liechtenstein, which are part of the European Economic Area (EEA).
    Data Subjects

    An identified or identifiable natural person.

    *Refer to GDPR Article 4(1)
    Personal data

    Information about a Data Subject that may directly or indirectly identify the Data Subject, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more elements of the physical, physiological, genetic, psychological, economic, cultural, or social identity of the natural person concerned.
    The possibility of identifying the Data Subject is determined by taking into account all reasonably possible means that could be used by the data controller or other persons.
    *Refer to GDPR Recital (26) and (30), and Article 4(1)
    Special types of personal data

    Refers to personal data that reveals racial or ethnic origin, political opinions, religious or ideological beliefs, or labor union membership; as well as genetic data, biometric data intended to uniquely identify a natural person, health data, or data concerning a natural person’s sex life or sexual orientation.
    Controller

    Refers to a natural or legal person, public agency, department, or other organization that alone or jointly with others determines the purposes and methods of handling personal data.
    *Refer to GDPR Article 4(7)
    *Refers to the Company within this Notice.
    Processor

    Refers to a natural or legal person, public institution, department or other organization that handles personal data on behalf of the controller.
    Third party

    Refers to a natural or legal person, public authority, department or other organization other than Data Subject, controller, processor and persons authorized to handle personal data under the direct authorization of the controller or processor.
    Our group companies

    Refers to a corporation in which the Company directly or indirectly owns a majority of the shares or a majority of the votes for the election of directors (including persons in similar roles).
    Handling/use/processing

    Refers to any business practice or set of business practices performed on personal data or a set of personal data, such as collecting, recording, compiling, editing, composing, record-keeping, modifying or altering, querying, referencing, using, disclosing by transmission, distributing, or otherwise making available, aligning or combining, restricting, deleting, or destroying, whether by automatic means or otherwise.
    *Refer to GDPR Article 4(2)
    (Data Subjects’) consent

    Refers to a freely given, specified, pre-explained, and unambiguous indication of a Data Subject’s intention, whereby the Data Subject expresses consent to the processing of personal data related to them by means of a statement or an explicit act.
    Transfer ex-region

    Refers to the transfer of personal data from a location in a country or region within the EU to a location in a country or region outside the EU (including, but not limited to, Japan, the country in which our Company head office is located).
    SCC (SDPC)

    Standard Contractual Clauses (Standard Data Protection Clauses). Refers to an agreement between a business located within the EU and a business located outside the EU regarding ex-region transfers.
    Profiling

    Refers to automatic processing of personal data in any form, consisting in the use of personal data in order to evaluate certain personal aspects associated with a natural person (in particular, to analyze or predict aspects related to ability to perform work, economic status, health, personal preferences, interests, reliability, behavior, location and mobility of such natural person).
    *Refer to GDPR Article 4(4)

  3. 3. Name and address of controller

    Name: cocone corporation

    3-1-18, Wakabayashi, Setagaya-ku, Tokyo, 154-0023

    Email:info@cocone.co.jp

    Website:https://www.cocone.co.jp/

  4. 4. Name and address of Data Protection Officer (DPO)

    Name: cocone corporation Personal Information Inquiry Representative

    3-1-18, Wakabayashi, Setagaya-ku, Tokyo Prefecture, 154-0023

    Email:info@cocone.co.jp

    *Our head office is located in Japan.

    Please note that we may not be able to respond immediately should an inquiry be made after business hours.

  5. 5. Personal data acquired and purpose of use

    1. (1) As a provider of smartphone applications or web services (including but not limited to social games, puzzle games, e-commerce services, language services, and other related services; collectively referred to below as “Services”), we acquire personal data in a legal and appropriate manner and use it within the scope necessary to achieve the following purposes.

      (i) Personal data of customers of our Services

      Personal data we acquire Purpose of use
      Name

      1. To deliver prizes for campaigns and contests

      2. To contact you as necessary when conducting questionnaires, interviews, etc.

      3. To notify you of matters necessary for the operation of our Services and to respond to various other inquiries

      4. To prevent and respond to fraud, etc.
      Date of birth

      1. To obtain age-appropriate analysis results when conducting questionnaires, interviews, etc. with customers

      2. To provide, solicit, advertise or otherwise market the Company’s or a third party’s products and services in accordance with the interests of customers based on age analysis conducted within Our Company or a third party medium

      3. To determine the legality of the Customer’s actions, such as determining whether or not consent of a person with parental authority is needed when billing for our Services, entering a campaign or sweepstakes, etc.
      Gender

      1. To provide appropriate and effective after-sales service for our Services

      2. To obtain gender-appropriate analysis results when conducting questionnaires, interviews, etc. with customers

      3. To provide, solicit, advertise or otherwise market the Company’s or a third party’s products and services in accordance with the interests of customers based on sex analysis conducted within Our Company or a third party medium
      E-mail address

      1. For user management of our Services (e.g., to transfer customer service data between different devices, such as when changing device models)

      2. To deliver prizes for campaigns and sweepstakes

      3. To notify you of matters necessary for the operation of our Services and to respond to various other inquiries
      Address and postal code

      1. To deliver products purchased through our Services and prizes for campaigns and contests, and to provide after-sales services related to such products and prizes

      2. To obtain analysis results based on the place of residence (country of residence, etc.) when conducting questionnaires, interviews, etc. with customers

      3. To notify you of matters necessary for the operation of our Services and to respond to various other inquiries
      Telephone number

      1. To deliver products purchased through our Services and prizes for campaigns and contests, and to provide after-sales services related to such products and prizes

      2. To notify you of matters necessary for the operation of our Services and to respond to various other inquiries
      Bank account information, wallet address

      To perform procedures necessary for transactions (e.g., payments, revenue processing)
      Credit card data

      To utilize as payment information for customers who chose “credit card payment” when paying for our Services
      In-service user name

      1. To manage (identify) users of our Services

      2. To notify you of matters necessary for the operation of our Services and to respond to various other inquiries

      3. To prevent and respond to fraud, etc.
      Cookie data

      (e.g., service usage history, browsing history, location information, IP address, device type, OS, browser type, device UID, etc.)

      1. To manage users of our Services

      2. For the maintenance and administration of our Services (e.g., to maintain stable web sessions)

      3. To simplify data entry of customer information when using our services, such as saving user settings

      4. To process payments for Customers who are paying for our Services for the first time, or who purchase products through our Services for the first time

      5. To improve and enhance our Services, and to plan, research, and develop new services

      6. To research and analyze marketing data, and to consider and implement marketing measures

      7. To provide, solicit, advertise or otherwise market the Company’s or a third party’s products and services in accordance with the interests of Customers based on browsing history analysis conducted within Our Company or a third party medium

      8. To prevent and respond to fraud, etc.
      Advertising identifier (Advertising Identifier (iOS), Google Advertising ID (Android OS))

      1. To determine whether or not our Services are being used on the Customer’s device and to obtain the results of analysis of usage of our services, etc.

      2. To improve and enhance our services, and to plan, research, and develop new services

      3. To research and analyze marketing data, and to consider and implement marketing measures

      4. To provide, solicit, advertise or otherwise market the Company’s or a third party’s products and services in accordance with the interests of Customers based on browsing history analysis conducted within Our Company or a third party medium
      Other
      (e.g., information provided by customers when making inquiries, contacting us, etc.)

      To respond to inquiries and contact Customers

    2. (ii) Personal data of business partner representatives

      Personal data we acquire Purpose of use
      Name

      1. To contact you regarding a transaction

      2. For the purposes of procedures necessary for transactions (e.g., payments, revenue processing)
      E-mail address
      Address and postal code
      Bank account information
      Telephone number
      My Number (personal identification number)

    3. (iii) Personal information of shareholders

      Personal data we acquire Purpose of use
      Name

      1. To prepare records (shareholder registry, etc.) and manage shareholders in accordance with various laws and regulations

      2. To send materials, etc. related to the General Meeting of Shareholders

      3. To exercise rights and perform obligations under corporate law
      E-mail address
      Address and postal code

    4. (iv) Personal data of employees, etc. (including their dependents)

      Personal data we acquire Purpose of use
      Name

      1. To perform procedures necessary in managing the employment process, including those related to joining the Company, social insurance, providing benefits, work-related contact, various procedures required by law, and other procedures required in managing the employment process

      2. To contact and perform procedures in the event of a celebration or untimely event, such as marriage or death, and to perform other procedures necessary in connection with personal changes to employees, etc.

      3. To perform duties related to wages, bonuses, retirement benefits, corporate pensions, etc.

      4. To ensure that the Company takes appropriate measures to ensure health management, safety management, and a proper working environment, or to enable the Company to fulfill its duty of ensuring that employees, etc. conduct appropriate health management

      5. To perform procedures necessary for work-related communication and business activities

      6. To perform other office work such as the below

      – Office work related to employment insurance notifications, etc.

      – Office work related to health insurance and welfare pension notifications, etc.

      – Office work related to category 3 national pension filings

      – Preparation and submission of withholding tax certificates and other withholding tax-related matters

      – Office work related to each of the above items
      Date of birth
      Gender
      E-mail address
      Address and postal code
      Telephone number
      Current and past affiliations
      Employment history and occupation
      Personnel evaluations and self-assessments
      Education and qualifications
      Family Information
      Bank account information
      Salary Information

      (e.g., base salary, bonuses, benefits, work status, income tax, resident tax, withholding tax)
      Social insurance information
      (e.g., health insurance, Employee pension, Industrial accident compensation insurance, employment insurance)
      Health information

      (e.g., information on medical examination results, health information related to leaves of absence, etc.)
      My Number (personal identification number)

    5. (v) Personal data of prospective hires

      Personal data we acquire Purpose of use
      Name

      1. For employment selection

      2. To contact and provide information to prospective employees
      Date of birth
      Gender
      E-mail address
      Address and postal code
      Telephone number
      Employment history and occupation
      Education and qualifications
      Family Information
      Salary Information
      (e.g., base salary, bonuses, benefits, work status, income tax, resident tax, withholding tax)

    6. (2) We may change the purposes for which we handle personal data to a reasonably deemed extent in relation to the purposes set forth in the preceding clause.

  6. 6. Legal basis for handling personal data

    1. (1) We only process personal data obtained in the following situations (refer to Article 6, Clause 1 of the GDPR).

      (i) Where the Data Subject has given consent for the handling of their personal data for one or more specific purposes.

      • *The consent in (i) above is voluntary, and the Data Subject may refuse the submission of personal data or withdraw their consent at any time after it is given. However, if certain personal data is required in order to provide our Services, we may be unable to provide all or part of those Services to a Data Subject who has refused to provide personal data or who has withdrawn their consent.

        *If a Data Subject is under 16 years of age (or under the minimum age set by the EU Member State, if that state has set a lower age), we will only process the personal data with the consent or authorization of a parent or legal guardian (refer to Article 8, Clause 1 of the GDPR).

    2. (ii) Where use of the data is necessary in implementing an agreement of which the Data Subject is a party, or where its use is necessary to take measures at the request of the Data Subject prior to the conclusion of an agreement.

    3. (iii) Where the use is necessary to comply with legal obligations to which we are subject.

    4. (iv) Where the use is necessary to protect the life-related or other important interests of the Data Subject or other natural person.

    5. (v) Where the use is necessary for the performance of duties for public interests, or in the exercise of official authority granted to the Company

    6. (vi) Where the use is necessary for the purposes of a legitimate interest sought by the Company or a third party (unless the interest of the Data Subject and the fundamental rights and freedoms of the Data Subject seeking protection of the personal data supersede that interest, particularly if the Data Subject is a child).

      • *Legitimate interests include, for example, the following:

      • a. Maintaining customer safety and security and improving service environment
        We reserve the right to provide personal data to investigative agencies where permitted by law in order to prevent criminal acts between customers on our Services, or to prevent the spread of criminal damage that has already occurred. We also reserve the right to handle personal data to prohibit the use of our Services by customers who have committed criminal or other illegal acts.

      • b. Detecting and preventing fraudulent activities against our Services and improving security
        We reserve the right to handle personal data in order to detect and prevent persons committing fraud against our Services. We also reserve the right to use personal data to perform necessary analyses for the purpose of improving the security of our Services.

      • c. To provide customer support

      • d. To provide proper marketing to customers

    7. (2) We do not use special types of personal data unless we have obtained the explicit consent of the Data Subject or unless otherwise permitted by Article 9, Clause 1 of the GDPR (see Article 9, Clause 1 of the GDPR).

  7. 7. Method of acquisition of personal data

    • We obtain personal data through the following methods.

    • (i) Obtaining data directly from the Data Subject (e.g., entry of personal data in application forms, etc.)

    • (ii) Obtaining data indirectly from the Data Subject (e.g., automatically obtaining IP addresses and other information from persons who visit our website and other sites by using cookies, advertising identifiers, and other similar technologies for tracking or analysis).
      *The Data Subject may, at any time, prevent us from retrieving information via cookies or certain types of advertising identifiers (Advertising Identifier (iOS), Google Advertising ID (Android OS)) through their Internet browser settings or smartphone operating system (OS) settings. However, if cookies or advertising identifiers are not provided, we may be unable to provide all or part of our services.
      *We may use Google Analytics to analyze access to our website and our services. Data collected through the use of Google Analytics is handled in accordance with Google’s Privacy Policy. Please refer to Google’s official pages below.

      Google Analytics Terms of Use

      Use by Google of information collected from sites and applications that use Google services

  8. 8. Provision of personal data

    1. (1) We may provide personal data we acquire to third parties as follows.

      • (i) Personal data may be provided to investigative agencies in the following cases.

        – Where required to disclose information in accordance with legal obligations to which we are subject
        – Where we believe that disclosure is necessary to protect life-related or other important interests of the Data Subject or other natural persons.
        – Where we determine that disclosure is necessary to investigate suspected illegal activities, regardless of whether or not actual damage has occurred.

      • (ii) We may provide Customer advertising identifiers (Advertising Identifier (iOS), Google Advertising ID (Android OS)) to advertising agencies and other companies for the purpose of delivering advertisements that are best tailored to the Customer’s individual interests.

      • (iii) We may outsource all or part of payroll calculation, social insurance procedures, customer service, etc. to external tax accountants, social insurance consultants, and other companies (referred to below as “Subcontractor” or “Subcontractors”), and may also outsource the handling of the minimum required personal data for the performance of such outsourced services.

      • (iv) We may share personal data with our group companies for the following purposes.

        – To provide comprehensive services to Customers
        – To periodically report to subsidiaries for the purposes of system maintenance, data hosting, pension plan administration, or general subsidiary management in the course of business or group reorganization.

      • (v) If the Data Subject consents to the provision of their personal data to a third party for one or more specific purposes, their personal data may be provided to the third party.

        *The consent in (v) above is voluntary, and the Data Subject may refuse the submission of personal data or withdraw their consent at any time after it is given. However, if the provision of certain personal data to a third party is required in order to provide our Services, we may be unable to provide all or part of those Services to a Data Subject who has refused to provide personal data to a third party or who has withdrawn such consent.

    2. (2) In the case of items (ii) through (v) of the preceding clause, we will properly supervise the third party by concluding a contract or other using other means, and require the third party to ensure proper security and handling of personal data in accordance with the law and this Notice.

  9. 9. Ex-region transfer

    We may transfer personal data out of the region only in the following cases.

    1. (i) When transferring personal data to a country or territory that has received an Adequacy Decision from the European Commission as satisfies the conditions for ex-region transfers (refer to Article 45 of the GDPR)

    2. (ii) Where we have entered into an SCC (SDPC) with the entity to which personal data is transferred (refer to Article 46 of the GDPR).
      *Please contact the Data Protection Officer (DPO) for information regarding the SCC (SDPC) that we have entered into.

    3. (iii) Where it is not possible to enter into an SCC (SDPC) and the following exceptional circumstances in specific situations are met (refer to Article 49 of the GDPR).
      – If the Data Subject expressly consents to the proposed transfer after being informed of the risks that may be posed to the Data Subject.
      – Where transfer is necessary for reasons of serious public interest.

  10. 10. Rights of Data Subjects

    Applicable privacy laws grant Data Subjects the following rights.

    Note that the Data Subject can contact the Data Protection Officer (DPO) at any time to assert these rights.

    1. (i) Right to receive information relating to the processing of personal data (refer to Articles 13 and 14 of the GDPR)

      The Data Subject has the right to receive from the Company any information that the Company is obligated to provide in connection with the use of personal data, such as the identity and contact details of the controller and the purposes for which the personal data is planned to be used.

    2. (ii) Right to access (refer to Article 15 of the GDPR)

      The Data Subject has the right to obtain confirmation from the Company as to whether or not personal data related to the Data Subject is being used and, if so, to have access to such personal data and related information.
      However, we reserve the right to verify the identity of the person requesting information in order to prevent unauthorized persons from accessing personal data, and we reserve the right to refuse to provide such information if we are unable to verify their identity.

    3. (iii) Right to correction or deletion (refer to Articles 16 and 17 of the GDPR)

      The Data Subject has the right to have the Company rectify inaccuracies in personal data related to the Data Subject. The Data Subject also has the right to the deletion of personal data related to them if certain legal conditions are met.

    4. (iv) Right to request restrictions on the processing of personal data (refer to Article 18 of the GDPR)

      The Data Subject has the right to obtain restrictions on the processing of personal data relating to the Data Subject if certain legal conditions are met.

    5. (v) Right to data portability (refer to Article 20 of the GDPR)

      Provided that certain legal conditions are met, the Data Subject has the right to receive personal data relating to themselves from the Company in a systematic and commonly used format. The Data Subject also has the right to transfer such personal data to another controller without hindrance from the Company.

    6. (vi) Right to object (refer to Article 21 of the GDPR)

      The Data Subject has the right to object at any time to the processing of their personal data by the Company, provided that certain legal conditions are met (includes scenarios where the personal data is processed for direct marketing purposes).

    7. (vii) The right not to be subject to decision-making based on automated processing (see GDPR Recital (71), Article 22)

      The Data Subject has the right to not have personal data relating to them be subject to decision-making based on automated processing (including profiling) when it would have legal effects or similar material effects on the Data Subject, except in certain cases.
      *We do not make decisions based on automated processing.

    8. (viii) Right to withdraw consent (refer to Article 7, Clause 3 of the GDPR)

    9. (ix) The right to file a complaint with a supervisory authority

      The Data Subject has the right to lodge a complaint with a supervisory authority at any time.

      *However, we would appreciate it if you would first contact the Data Protection Officer (DPO) to give us the opportunity to respond to your complaint directly.

  11. 11. Retention period of personal information

    We retain personal data only for as long as is reasonably necessary to fulfill the purposes for which it is used (including meeting legal, regulatory, governmental, tax, accounting standards, and disclosure requirements).
    Upon expiration of the retention period, we will promptly delete the personal data.

  12. 12. Safety control measures

    We establish proper security and maintain adequate technical and organizational safety control measures to protect personal data from accidental loss, unauthorized handling, unauthorized access, falsification, and leakage.
    Also, if a data leak or equivalent occurs where reporting is required by law, we will report it to the Data Subject and the authority in question.

  13. 13. Privacy notice updates

    1. (1) In order to reflect changes in our policy regarding the handling of personal data, or to respond to changes in applicable laws and regulations, etc., we may post an explicit notice on our website, application, or other service screen and indicate the date of the last update at the beginning of this Notice, and then change the content to the updated content after a certain grace period.

    2. (2) In certain cases, we may request consent from the Data Subject when updating this Notice. Such consent is voluntary and can be refused by the Data Subject. However, if updating this Notice is necessary in order to provide our Services or to comply with legal requirements, etc., we may be unable able to provide all or part of our Services to a Data Subject who refuses to consent to such updating.